The secrets service allows task cluster clients with appropriate scopes to write secrets securely, and in such a way that each secret is tied to a scope. Further, scopes are used to limit the operations a particular client may perform on any secret they have been granted access to.
The service expects the following to run periodically (daily?) to flush expired secrets:
NODE_ENV=production node lib/main.js expire
From the project's base
yarn install then
No special configuration is required.
Some of the tests will be skipped, but it is fine to make a pull request as long as no tests fail.
To run all tests, you will need appropriate Taskcluster credentials.
Using taskcluster-cli, run
eval $(taskcluster signin --scope assume:project:taskcluster:tests:taskcluster-secrets), then run
yarn test again.
This service is deployed as a typical Heroku application. The scheduler add-on is used to run the expiration process (described above).
After deploying a new version of this service, open up the tools site and sign in. Using the "secrets" tool, make sure you can read some secret that you have access to (that is, one listed in the UI).
Service Owner: firstname.lastname@example.org